Pointer arithmetic must be performed only on pointers that reference elements of array objects.
The C Standard, 6.5.6 [ISO/IEC 9899:2011], states the following about pointer arithmetic:
When an expression that has integer type is added to or subtracted from a pointer, the result has the type of the pointer operand. If the pointer operand points to an element of an array object, and the array is large enough, the result points to an element offset from the original element such that the difference of the subscripts of the resulting and original array elements equals the integer expression.
Noncompliant Code Example
This noncompliant code example attempts to access structure members using pointer arithmetic. This practice is dangerous because structure members are not guaranteed to be contiguous.
struct numbers { short num_a, num_b, num_c; }; int sum_numbers(const struct numbers *numb){ int total = 0; const short *numb_ptr; for (numb_ptr = &numb->num_a; numb_ptr <= &numb->num_c; numb_ptr++) { total += *(numb_ptr); } return total; } int main(void) { struct numbers my_numbers = { 1, 2, 3 }; sum_numbers(&my_numbers); return 0; }
Compliant Solution
It is possible to use the ->
operator to dereference each structure member:
total = numb->num_a + numb->num_b + numb->num_c;
However, this solution results in code that is hard to write and hard to maintain (especially if there are many more structure members), which is exactly what the author of the noncompliant code example was likely trying to avoid.
Compliant Solution
A better solution is to define the structure to contain an array member to store the numbers in an array rather than a structure, as in this compliant solution:
#include <stddef.h> struct numbers { short a[3]; }; int sum_numbers(const short *numb, size_t dim) { int total = 0; for (size_t i = 0; i < dim; ++i) { total += numb[i]; } return total; } int main(void) { struct numbers my_numbers = { .a[0]= 1, .a[1]= 2, .a[2]= 3}; sum_numbers( my_numbers.a, sizeof(my_numbers.a)/sizeof(my_numbers.a[0]) ); return 0; }
Array elements are guaranteed to be contiguous in memory, so this solution is completely portable.
Exceptions
ARR37-EX1: Any non-array object in memory can be considered an array consisting of one element. Adding one to a pointer to such an object yields a pointer one element past the array, and subtracting one from that pointer yields the original pointer. This allows for code such as the following:
#include <stdlib.h> #include <string.h> struct s { char *c_str; /* Other members */ }; struct s *create_s(const char *c_str) { struct s *ret; size_t len = strlen(c_str) + 1; ret = (struct s *)malloc(sizeof(struct s) + len); if (ret != NULL) { ret->c_str = (char *)(ret + 1); memcpy(ret + 1, c_str, len); } return ret; }
A more general and safer solution to this problem is to use a flexible array member that guarantees that the array that follows the structure is properly aligned by inserting padding, if necessary, between it and the member that immediately precedes it.
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR37-C | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
|
|
| |
PRQA QA-C | Unable to render {include} The included page could not be found. | 2930, 2931, 2932, 2933, 2934 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
[Banahan 2003] | Section 5.3, "Pointers" Section 5.7, "Expressions Involving Pointers" |
[ISO/IEC 9899:2011] | 6.5.6, "Additive Operators" |
[VU#162289] |